Configure AAA and Cert Auth for Secure Client on FTD via FMC

Introduction

This document describes the steps for configuring Cisco Secure Client over SSL on FTD managed by FMC with AAA and certificate authentication.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

• Cisco Firepower Management Center (FMC)
• Firewall Threat Defense Virtual (FTD)
• VPN Authentication Flow

Components Used

• Cisco Firepower Management Center for VMWare 7.4.1
• Cisco Firewall Threat Defense Virtual 7.4.1

• Cisco Secure Client 5.1.3.62

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

Background Information

As organizations adopt more stringent security measures, combining two-factor authentication (2FA) with certificate-based authentication has become a common practice to enhance security and protect against unauthorized access. One of the features that can significantly improve user experience and security is the ability to pre-fill the username in the Cisco Secure Client. This feature simplifies the login process and enhances the overall efficiency of remote access.
This document describes how to integrate pre-filled username with Cisco Secure Client on FTD, ensuring that users can quickly and securely connect to the network.

These certificates contain a common name within them, which is used for authorization purposes.

• CA : ftd-ra-ca-common-name
• Client Certificate : sslVPNClientCN
• Server Certificate : 192.168.1.200

Network Diagram

This image shows the topology that is used for the example of this document.

Network Diagram

Configurations

Configuration in FMC

Step 1. Configure FTD Interface

Navigate to Devices > Device Management, edit the target FTD device, config inside and outside interface for FTD in Interfaces tab.

For GigabitEthernet0/0,

• Name : outside
• Security Zone : outsideZone
• IP Address : 192.168.1.200/24

For GigabitEthernet0/1,

• Name : inside
• Security Zone : insideZone
• IP Address : 192.168.10.200/24

FTD Interface

Step 2. Confirm Cisco Secure Client License

Navigate to Devices > Device Management, edit the target FTD device, confirm the Cisco Secure Client license in Device tab.

Secure Client License

Step 3. Add Policy Assignment

Navigate to Devices > VPN > Remote Access, click Add button.

Add Remote Access VPN

Input necessary information and click Next button.

• Name : ftdvpn-aaa-cert-auth
• VPN Protocols : SSL
• Targeted Devices : 1.x.x.49

Policy Assignment

Step 4. Config Details for Connection Profile

Input necessary information for connection profile and click + button next to the Local Realm item.

• Authentication Method : Client Certificate & AAA
• Authentication Server : LOCAL
• Username From Certificate : Map specific field
• Primary Field : CN (Common Name)
• Secondary Field : OU (Organizational Unit)

Details of Connection Profile

Click Local from Add Realm drop-down list to add a new local realm.

Add Local Realm

Input necessary information for local realm and click Save button.

• Name : LocalRealmTest
• Username : sslVPNClientCN

Note: The username equals the common name within the client certificate

Details of Local Realm

Step 5. Add Address Pool for Connection Profile

Click edit button next to the IPv4 Address Pools item.

Add IPv4 Address Pool

Input necessary information to add a new IPv4 address pool. Select the new IPv4 address pool for connection profile.

• Name : ftdvpn-aaa-cert-pool
• IPv4 Address Range : 172.16.1.40-172.16.1.50
• Mask : 255.255.255.0

Details of IPv4 Address Pool

Step 6. Add Group Policy for Connection Profile

Click + button next to the Group Policy item.

Add Group Policy

Input necessary information to add a new group policy. Select the new group policy for connection profile.

• Name : ftdvpn-aaa-cert-grp
• VPN Protocols : SSL

Details of Group Policy

Step 7. Config Secure Client Image for Connection Profile

Select secure client image file and click Next button.

Select Secure Client Image

Step 8. Config Access & Certificate for Connection Profile

Select Security Zone for VPN connection and click + button next to Certificate Enrollment item.

• Interface group/Security Zone : outsideZone

Select Security Zone

Input necessary information for FTD certificate and import a PKCS12 file from local computer.

• Name : ftdvpn-cert
• Enrollment Type : PKCS12 File

Add FTD Certificate

Confirm the information entered in Access & Certificate wizard and click Next button.

Note: Enable Bypass Access Control policy for decrypted traffic (sysopt permit-vpn), so that decrypted VPN traffic is not subjected to access control policy inspection.

Confirm Settings in Access & Certificate

Step 9. Confirm Summary for Connection Profile

Confirm the information entered for VPN connection and click Finish button.

Confirm Settings for VPN Connection

Confirm the summary of remote access VPN policy and deploy the settings to FTD.

Summary of Remote Access VPN Policy

Confirm in FTD CLI

Confirm the VPN connection settings in the FTD CLI after deployment from the FMC.

// Defines IP of interface
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.1.200 255.255.255.0 
interface GigabitEthernet0/1
nameif inside
security-level 0
ip address 192.168.10.200 255.255.255.0

// Defines a pool of addresses
ip local pool ftdvpn-aaa-cert-pool 172.16.1.40-172.16.1.50 mask 255.255.255.0

// Defines a local user
username sslVPNClientCN password ***** encrypted

// Defines Trustpoint for Server Certificate
crypto ca trustpoint ftdvpn-cert
keypair ftdvpn-cert
crl configure

// Server Certificate Chain
crypto ca certificate chain ftdvpn-cert
certificate 22413df584b6726c
3082037c 30820264 a0030201 02020822 413df584 b6726c30 0d06092a 864886f7
......
quit
certificate ca 5242a02e0db6f7fd
3082036c 30820254 a0030201 02020852 42a02e0d b6f7fd30 0d06092a 864886f7
......
quit

// Configures the FTD to allow Cisco Secure Client connections and the valid Cisco Secure Client images
webvpn
enable outside
http-headers
hsts-server
enable
max-age 31536000
include-sub-domains
no preload
hsts-client
enable
x-content-type-options
x-xss-protection
content-security-policy
anyconnect image disk0:/csm/cisco-secure-client-win-5.1.3.62-webdeploy-k9.pkg 1 regex "Windows"
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable

// Bypass Access Control policy for decrypted traffic
// This setting is displayed in the 'show run all' command output
sysopt connection permit-vpn

// Configures the group-policy to allow SSL connections
group-policy ftdvpn-aaa-cert-grp internal
group-policy ftdvpn-aaa-cert-grp attributes
banner none
wins-server none
dns-server none
dhcp-network-scope none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-idle-timeout alert-interval 1
vpn-session-timeout none
vpn-session-timeout alert-interval 1
vpn-filter none
vpn-tunnel-protocol ssl-client 
split-tunnel-policy tunnelall
ipv6-split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
split-tunnel-all-dns disable
client-bypass-protocol disable
vlan none
address-pools none
webvpn
anyconnect ssl dtls enable
anyconnect mtu 1406
anyconnect firewall-rule client-interface public none
anyconnect firewall-rule client-interface private none
anyconnect ssl keepalive 20
anyconnect ssl rekey time none
anyconnect ssl rekey method none
anyconnect dpd-interval client 30
anyconnect dpd-interval gateway 30
anyconnect ssl compression none
anyconnect dtls compression none
anyconnect modules value none
anyconnect ask none default anyconnect
anyconnect ssl df-bit-ignore disable

// Configures the tunnel-group to use the aaa & certificate authentication
tunnel-group ftdvpn-aaa-cert-auth type remote-access
tunnel-group ftdvpn-aaa-cert-auth general-attributes
address-pool ftdvpn-aaa-cert-pool
default-group-policy ftdvpn-aaa-cert-grp
// These settings are displayed in the 'show run all' command output. Start
authentication-server-group LOCAL
secondary-authentication-server-group none
no accounting-server-group
default-group-policy ftdvpn-aaa-cert-grp
username-from-certificate CN OU
secondary-username-from-certificate CN OU
authentication-attr-from-server primary
authenticated-session-username primary
username-from-certificate-choice second-certificate
secondary-username-from-certificate-choice second-certificate
// These settings are displayed in the 'show run all' command output. End
tunnel-group ftdvpn-aaa-cert-auth webvpn-attributes
authentication aaa certificate
pre-fill-username client
group-alias ftdvpn-aaa-cert-auth enable

Confirm in VPN Client

Step 1. Confirm Client Certificate

Navigate to Certificates - Current User > Personal > Certificates, check the client certificate used for authentication.

Confirm Client Certificate

Double click the client certificate, navigate to Details, check the detail of Subject.

• Subject : CN = sslVPNClientCN

Details of Client Certificate

Step 2. Confirm CA

Navigate to Certificates - Current User > Trusted Root Certification Authorities > Certificates, check the CA used for authentication.

• Issued By : ftd-ra-ca-common-name

Confirm CA

Verify

Step 1. Initiate VPN Connection

On the endpoint, initiate the Cisco Secure Client connection. The username is extracted from the client certificate, you need to input the password for VPN authentication.

Note: The username is extracted from the CN (Common Name) field of the client certificate in this document.

Initiate VPN Connection

Step 2. Confirm Active Sessions in FMC

Navigate to Analysis > Users > Active Sessions, check the active session for VPN authentication.

Confirm Active Session

Step 3. Confirm VPN Session in FTD CLI

Runshow vpn-sessiondb detail anyconnect command in FTD (Lina) CLI to confirm the VPN session.

ftd702# show vpn-sessiondb detail anyconnect

Session Type: AnyConnect Detailed

Username : sslVPNClientCN Index : 7
Assigned IP : 172.16.1.40 Public IP : 192.168.1.11
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-128 DTLS-Tunnel: (1)AES-GCM-256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA256 DTLS-Tunnel: (1)SHA384
Bytes Tx : 14780 Bytes Rx : 15386
Pkts Tx : 2 Pkts Rx : 37
Pkts Tx Drop : 0 Pkts Rx Drop : 0
Group Policy : ftdvpn-aaa-cert-grp Tunnel Group : ftdvpn-aaa-cert-auth
Login Time : 02:38:22 UTC Mon Jun 17 2024
Duration : 0h:01m:22s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : cb00718200007000666fa19e
Security Grp : none Tunnel Zone : 0

AnyConnect-Parent Tunnels: 1
SSL-Tunnel Tunnels: 1
DTLS-Tunnel Tunnels: 1

AnyConnect-Parent:
Tunnel ID : 7.1
Public IP : 192.168.1.11
Encryption : none Hashing : none 
TCP Src Port : 50035 TCP Dst Port : 443 
Auth Mode : Certificate and userPassword
Idle Time Out: 30 Minutes Idle TO Left : 28 Minutes 
Client OS : win 
Client OS Ver: 10.0.15063 
Client Type : AnyConnect
Client Ver : Cisco AnyConnect VPN Agent for Windows 5.1.3.62
Bytes Tx : 7390 Bytes Rx : 0 
Pkts Tx : 1 Pkts Rx : 0 
Pkts Tx Drop : 0 Pkts Rx Drop : 0 

SSL-Tunnel:
Tunnel ID : 7.2
Assigned IP : 172.16.1.40 Public IP : 192.168.1.11
Encryption : AES-GCM-128 Hashing : SHA256 
Ciphersuite : TLS_AES_128_GCM_SHA256 
Encapsulation: TLSv1.3 TCP Src Port : 50042 
TCP Dst Port : 443 Auth Mode : Certificate and userPassword
Idle Time Out: 30 Minutes Idle TO Left : 28 Minutes 
Client OS : Windows 
Client Type : SSL VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 5.1.3.62
Bytes Tx : 7390 Bytes Rx : 2292 
Pkts Tx : 1 Pkts Rx : 3 
Pkts Tx Drop : 0 Pkts Rx Drop : 0 

DTLS-Tunnel:
Tunnel ID : 7.3
Assigned IP : 172.16.1.40 Public IP : 192.168.1.11
Encryption : AES-GCM-256 Hashing : SHA384 
Ciphersuite : ECDHE-ECDSA-AES256-GCM-SHA384 
Encapsulation: DTLSv1.2 UDP Src Port : 56382 
UDP Dst Port : 443 Auth Mode : Certificate and userPassword
Idle Time Out: 30 Minutes Idle TO Left : 29 Minutes 
Client OS : Windows 
Client Type : DTLS VPN Client
Client Ver : Cisco AnyConnect VPN Agent for Windows 5.1.3.62
Bytes Tx : 0 Bytes Rx : 13094 
Pkts Tx : 0 Pkts Rx : 34 
Pkts Tx Drop : 0 Pkts Rx Drop : 0

Step 4. Confirm Communication with Server

Initiate ping from VPN client to the Server, confirm that communication between the VPN client and the server is successful.

Ping succeeded

Run  capture in interface inside real-time command in FTD (Lina) CLI to confirm packet capture.

ftd702# capture in interface inside real-time
Use ctrl-c to terminate real-time capture

1: 03:39:25.729881 172.16.1.40 > 192.168.10.11 icmp: echo request
2: 03:39:25.730766 192.168.10.11 > 172.16.1.40 icmp: echo reply
3: 03:39:26.816211 172.16.1.40 > 192.168.10.11 icmp: echo request
4: 03:39:26.818683 192.168.10.11 > 172.16.1.40 icmp: echo reply
5: 03:39:27.791676 172.16.1.40 > 192.168.10.11 icmp: echo request
6: 03:39:27.792195 192.168.10.11 > 172.16.1.40 icmp: echo reply
7: 03:39:28.807789 172.16.1.40 > 192.168.10.11 icmp: echo request
8: 03:39:28.808399 192.168.10.11 > 172.16.1.40 icmp: echo reply

Troubleshoot

You can expect to find information about VPN authentication in the debug syslog of Lina engine and in the DART file on Windows PC.

This is an example of debug logs in the Lina engine.

// Certificate Authentication
Jun 17 2024 02:38:03: %FTD-7-717029: Identified client certificate within certificate chain. serial number: 6EC79930B231EDAF, subject name: CN=sslVPNClientCN,OU=sslVPNClientOU,O=Cisco,L=Tokyo,ST=Tokyo,C=JP.
Jun 17 2024 02:38:03: %FTD-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.
Jun 17 2024 02:38:03: %FTD-6-717022: Certificate was successfully validated. serial number: 6EC79930B231EDAF, subject name:  CN=sslVPNClientCN,OU=sslVPNClientOU,O=Cisco,L=Tokyo,ST=Tokyo,C=JP.

// Extract username from the CN (Common Name) field
Jun 17 2024 02:38:03: %FTD-7-113028: Extraction of username from VPN client certificate has been requested.  [Request 5]
Jun 17 2024 02:38:03: %FTD-7-113028: Extraction of username from VPN client certificate has completed.  [Request 5]

// AAA Authentication
Jun 17 2024 02:38:22: %FTD-6-113012: AAA user authentication Successful : local database : user = sslVPNClientCN
Jun 17 2024 02:38:22: %FTD-6-113009: AAA retrieved default group policy (ftdvpn-aaa-cert-grp) for user = sslVPNClientCN
Jun 17 2024 02:38:22: %FTD-6-113008: AAA transaction status ACCEPT : user = sslVPNClientCN

These debugs can be run from the diagnostic CLI of the FTD, which provides information you can use in order to troubleshoot your configuration.

• debug crypto ca 14
• debug webvpn anyconnect 255
• debug crypto ike-common 255

Reference

Configure AnyConnect Remote Access VPN on FTD

Configure Anyconnect Certificate Based Authentication for Mobile Access